agenttesla | f6d967435c3fdbc87483ed30cb16031cfd6e582fc13a6449cab72654033fc725

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Balance payment.exe
Size

392KB
MD5

9380d44800fbdf3899fe1d04af533d1f
SHA1

a052510980763e83d19c3f9824ea58a5f4eab2b3
SHA256

0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904
SHA512

8e2e205984f1672df25d4c78fca631290706e793677f480b0d088e60bdbef6b91b5e7752175cef0d85fc6c381adf39c64cb3ba6c4578ddbd5b7a79dff9f7be99
SSDEEP

6144:WSodkdIGvvJXFj+3vsW5qeP0sCuTiw14LqcCiNMF2eR2BQ1hZnhG5rO/lGFNzTbn:WSFdIGZVjukc044NCiSx71HsKGXJSA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Balance payment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	Balance payment.exe

Drops startup file 1 IoCs

Processes:

Balance payment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs Balance payment.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

Balance payment.exe

description pid process target process

PID 4804 set thread context of 432 4804 Balance payment.exe Balance payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	Balance payment.exe

description	pid	process	target process
PID 4804 set thread context of 432	4804	Balance payment.exe	Balance payment.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4076 ipconfig.exe
2648 ipconfig.exe

pid	process
4076	ipconfig.exe
2648	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Balance payment.exepowershell.exemsedge.exemsedge.exeBalance payment.exeidentity_helper.exe

pid	process
4804	Balance payment.exe
4792	powershell.exe
4792	powershell.exe
1064	msedge.exe
1064	msedge.exe
3144	msedge.exe
3144	msedge.exe
432	Balance payment.exe
432	Balance payment.exe
432	Balance payment.exe
1436	identity_helper.exe
1436	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Balance payment.exepowershell.exeBalance payment.exe

description	pid	process
Token: SeDebugPrivilege	4804	Balance payment.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	432	Balance payment.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Balance payment.execmd.execmd.exepowershell.exemsedge.exe

description	pid	process	target process
PID 4804 wrote to memory of 1148	4804	Balance payment.exe	cmd.exe
PID 4804 wrote to memory of 1148	4804	Balance payment.exe	cmd.exe
PID 4804 wrote to memory of 1148	4804	Balance payment.exe	cmd.exe
PID 1148 wrote to memory of 2648	1148	cmd.exe	ipconfig.exe
PID 1148 wrote to memory of 2648	1148	cmd.exe	ipconfig.exe
PID 1148 wrote to memory of 2648	1148	cmd.exe	ipconfig.exe
PID 4804 wrote to memory of 4792	4804	Balance payment.exe	powershell.exe
PID 4804 wrote to memory of 4792	4804	Balance payment.exe	powershell.exe
PID 4804 wrote to memory of 4792	4804	Balance payment.exe	powershell.exe
PID 4804 wrote to memory of 1164	4804	Balance payment.exe	cmd.exe
PID 4804 wrote to memory of 1164	4804	Balance payment.exe	cmd.exe
PID 4804 wrote to memory of 1164	4804	Balance payment.exe	cmd.exe
PID 1164 wrote to memory of 4076	1164	cmd.exe	ipconfig.exe
PID 1164 wrote to memory of 4076	1164	cmd.exe	ipconfig.exe
PID 1164 wrote to memory of 4076	1164	cmd.exe	ipconfig.exe
PID 4792 wrote to memory of 3144	4792	powershell.exe	msedge.exe
PID 4792 wrote to memory of 3144	4792	powershell.exe	msedge.exe
PID 3144 wrote to memory of 2340	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2340	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1064	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1064	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2888	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2888	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2888	3144	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8335f46f8,0x7ff8335f4708,0x7ff8335f4718
4⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
4⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
4⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
4⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
4⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
4⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
4⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
4⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
4⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
4⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
4⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
4⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12819495960714111485,7943752168501945971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
4⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:4076

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Balance payment.exe.log

Filesize
1KB

MD5
8c2da65103d6b46d8cf610b118210cf0

SHA1
9db4638340bb74f2af3161cc2c9c0b8b32e6ab65

SHA256
0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac

SHA512
3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f0cdba3e639a70bf26cf85d538ce1a8

SHA1
b457faa0d6c55d56d61167674f734f54c978639b

SHA256
c1e48c2dfaeb607efc713e1b5c01d1ee8a9491d8f3a2a5f4f3887e6c1f8c2f63

SHA512
3c270fc58170c37f51427aac2d3092ddbbc17832556718612cebb0c32c04e7e3b7e157969d458a4b9c3e8bf781c23489319338960cefb5cf530673f2b8f81609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
559b995a430d497e7112920aace7c38d

SHA1
791787198eab26fe6f3e7a2c385f437d2a55fa6f

SHA256
62f651b2310688bc1e08f73be35e208d6013dd64d4f6b8b860e7547080a82b8e

SHA512
e0acaf643dc95daf5192ddfc3d5f8135c8d996a00573f8b812a870a8ad938d802288db90e28b5a22fa2bd933a29a179ac7d2e3f4680c50780407b286af10301e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d721b66238ee2b4004cfb3d7417d97f

SHA1
e5c6a91eaef45c9be32ca08892a1e3b5c4082e1f

SHA256
a55405fe49041958ec2f08bb37dbf2815b318a8604902149d874370525b63f96

SHA512
2d092906f25e376fb3062e2ebd1b8d9356f35fdf4e47b1fc6bf0ab45c7b6beb8dee7f35119b84e93c776a44a5c9cfa7145ee3d7114fcb2a95701b1c1b7b45315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62b0ff414d9d9fad44e2dbeec67d1503

SHA1
b358fea1d164170d3429ae195959ec8dc8c5375c

SHA256
fbc3c0e018fd83127f7a349fddf7278e28e7606bb9e5acca13f3ab3f9bd4545f

SHA512
b8be72a666bea3ed2899f013b87157c0be53be6c25ff575d1d46ca18b484664a7f11884bae110e98ae095a958feefb195fe1842cbeb4d14767d21b7c42898e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
13db66f979dc73ce34c0fbe425598af9

SHA1
3aaeb4a4edd21c26332abf8ba4b266a95d8e9145

SHA256
8ef7dc6ac2b32264422db1b654412a3a29844262f9e75628c60d163f80d2abe2

SHA512
10129a146a5b0ac7c3edc55de4bae1ca34ba08dea6740a9cf0b1e1c10b74099c9428af2900fef8be376141b086800d62559b13fa512dc565af0c4e9aa35f22bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
014b69ca3ebc11d909f6bf5d6e81364e

SHA1
a81e581ec2eaae1621c668577a1543e9f212c1d3

SHA256
9fced02296e4109ff241662128440dbb2bf9a5eef700b8f85dc2e33a8b24c653

SHA512
d7411dc50b16c675c41b1a3ea760301e14fda1fbb28c9d0a848ab7f68e353779546cae246c326191cdee8e402a032746f2e5c3d63d1acfe3506abdfb521e723d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
0c16ab3a40e497efff260e9cec1d2956

SHA1
6d974e76130cacddfd302d2668e9a82526f22755

SHA256
5729cc51ba6e11c8e058eb7bc012cc4a9ac459e6740ce2ecf4c8fa9799066633

SHA512
b5229bc9d4d061e8da3b61e1c9c066f67e750d2afdc226b865f622ca051c8c0ca1cff1acdb516c7ea0564d35590767546bf51400ca24c71d38cd92c6ed75865f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
cc098c23d23516c80209ae6d9089eafb

SHA1
7184f340cf5df5e60d4a88396aaf0ca310799be1

SHA256
cd8a5e76e5db8889454380378c4c60e139a62db21d7370fa9b8af83e399cc904

SHA512
7c6237b1dd5d7a1571003efe59fc6b0240cb46722da9b27054dab2ba04f6b1bb2e1d7f4eca2b82a1811987dcb517d491348a3017157094c4e1453c95158fc302

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1sny1jy.x0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_3144_DXQDXHXQKVELAMJK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/432-86-0x0000000006260000-0x00000000062FC000-memory.dmp

Filesize
624KB

Download
memory/432-78-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/432-77-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/432-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-85-0x0000000006170000-0x00000000061C0000-memory.dmp

Filesize
320KB

Download
memory/432-126-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/432-127-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4792-14-0x00000000025D0000-0x0000000002606000-memory.dmp

Filesize
216KB

Download
memory/4792-15-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4792-32-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/4792-33-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/4792-34-0x0000000006B00000-0x0000000006B96000-memory.dmp

Filesize
600KB

Download
memory/4792-35-0x0000000006080000-0x000000000609A000-memory.dmp

Filesize
104KB

Download
memory/4792-36-0x00000000060D0000-0x00000000060F2000-memory.dmp

Filesize
136KB

Download
memory/4792-40-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4792-30-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/4792-25-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4792-24-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4792-17-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4792-18-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/4792-31-0x0000000005850000-0x0000000005BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4792-16-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4804-76-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4804-1-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4804-11-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4804-10-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4804-9-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/4804-8-0x0000000005920000-0x0000000005960000-memory.dmp

Filesize
256KB

Download
memory/4804-7-0x00000000055D0000-0x0000000005610000-memory.dmp

Filesize
256KB

Download
memory/4804-6-0x00000000057C0000-0x0000000005818000-memory.dmp

Filesize
352KB

Download
memory/4804-5-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/4804-4-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4804-3-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/4804-2-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4804-0-0x0000000000AA0000-0x0000000000B08000-memory.dmp

Filesize
416KB

Download